From: "Allen Smith" <easmith@beatrice.rutgers.edu>
Message-Id: <9804291312.ZM27991@beatrice.rutgers.edu>
Date: Wed, 29 Apr 1998 13:12:15 -0400
To: freebsd-hackers@FreeBSD.ORG
Subject: Proxy ARP for transparent firewalling: arp -s pub vs choparp

Hi. We've got a slightly weird situation, but it may be applicable to others.

We need to set up a firewall to protect our systems, because the exterior Rutgers firewall isn't sufficient:

A. it's rather looser than what's needed to protect SGIs (sigh...); and
B. a lot of people can get access to PCs, etc. inside the Rutgers firewall.

Unfortunately, the local Network Services refuses to admit this, and won't reconfigure the building router to send packets for our machines to a firewall machine (admittedly, the router in question is old and limited in its capabilities), and also won't let us run routed on that machine to send RIP packets to do the reconfiguration itself. Therefore, the solution that I've come up with is using proxy ARP.
This should work as follows:

[Rutgers]---[Rutgers router]--[hub]--[our firewall]--[hub or switch]--[our machines]

In this, in order to get the Network Services controlled router to direct packets that are for our machines to the firewall's exterior interface, it'll need to be sending out ARP packets that will tell the router (and the other machines on the local network) that its Ethernet interface is the one for all our machines' IP addresses. The firewall (a FreeBSD-stable machine that we're in the process of getting in from Atipa) will have ip_filter set up on it, which will use its fastroute capability to route packets to its interior interface if they're for our machines. Our machines will be set up with the firewall's interior interface (probably a private IP address, if I can get the routing set up properly for those - SGI's route implementation seems to be buggy in this regard, although that may be conflicts with routed) as their default gateway.

OK. So far, fine and dandy. There are two problems, however:

A. How do I get the firewall machine to broadcast (on the _exterior_ interface _only_) ARP packets for the interior machines? This comes down to a question of arp -s pub vs choparp. The former requires less machine time and no BPF interface (a definite advantage for a firewall machine, given promiscuous interface potentialities), but I'm not sure how to get it to behave properly.

B. How do I make sure the firewall machine will still have the proper ARP entries when it's sending stuff inward?

I've taken a look at the kernel, arp, and choparp source code, but I'm not much of a C programmer (I prefer Perl). People have mentioned arp_proxyall as a sysctl variable to me, but I'm not sure what that'll do.

I sent this message to freebsd-stable before, and got some help, but I need to make sure that things will work _before_ I try doing anything like proxy ARP broadcasts - especially given the political considerations.
Should I also send it to freebsd-isp, as the people with the most experience with firewalls?

Thanks very much,

-Allen
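The post contrasts two ways of getting the exterior interface to answer ARP for the interior hosts: static published entries in the kernel (`arp -s <host> <ether_addr> pub`) and a user-space daemon such as choparp that watches the wire through BPF and answers itself. Below is an added example, written for this page and not taken from choparp, the FreeBSD kernel or the poster, of the decision and packet-construction half of the daemon approach: parse an IPv4-over-Ethernet ARP request seen on the exterior side, answer only if the target address belongs to the protected interior range, and build the reply with the firewall's own MAC as the hardware address. The BPF capture and injection are left out (they are the interface-specific part), and all MACs, addresses and the `ProxyArp` class are assumptions made up for the illustration. The exclude list covers the case the poster's question B hints at: the firewall must never proxy-answer for addresses it owns itself or for requests it sent, or it will poison its own table.

```python
"""Proxy-ARP responder logic for IPv4 over Ethernet (illustrative, not choparp's code).

Answers "who-has X" requests seen on the exterior interface with
"X is-at <firewall MAC>" when X lies inside the protected interior range.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {
        "eth_src": eth_src, "op": op, "sha": sha, "tha": tha,
        "spa": ipaddress.IPv4Address(spa), "tpa": ipaddress.IPv4Address(tpa),
    }


def build_request(sender_mac, sender_ip, target_ip):
    """Constructed broadcast 'who-has target_ip tell sender_ip', as the building router would send it."""
    eth = ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REQUEST,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


class ProxyArp:
    """Decide whether an ARP request seen on the exterior interface should be proxy-answered, and build the reply."""

    def __init__(self, our_mac, protected, exclude=()):
        self.our_mac = our_mac
        self.protected = [ipaddress.ip_network(n) for n in protected]   # interior address ranges
        self.exclude = {ipaddress.IPv4Address(a) for a in exclude}      # addresses the kernel answers itself

    def should_answer(self, arp):
        if arp["op"] != ARP_REQUEST:
            return False
        if arp["sha"] == self.our_mac:
            return False          # our own kernel asking; answering would poison our own ARP table
        if arp["tpa"] in self.exclude:
            return False          # e.g. the firewall's exterior address
        return any(arp["tpa"] in net for net in self.protected)

    def handle(self, frame):
        """Return the reply frame to inject, or None if this frame should be ignored."""
        arp = parse_arp(frame)
        if arp is None or not self.should_answer(arp):
            return None
        eth = ETH_HDR.pack(arp["sha"], self.our_mac, ETHERTYPE_ARP)       # unicast back to the requester
        pkt = ARP_PKT.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY,
                           self.our_mac, arp["tpa"].packed,                # "tpa is-at our MAC"
                           arp["sha"], arp["spa"].packed)
        return eth + pkt


# Constructed sample (documentation addresses, locally administered MACs; all made up):
# router at 192.0.2.1, firewall exterior 192.0.2.17, interior hosts in 192.0.2.16/28.
ROUTER_MAC = mac("02:00:00:00:00:01")
FIREWALL_MAC = mac("02:00:00:00:00:fe")
PROXY = ProxyArp(FIREWALL_MAC, protected=["192.0.2.16/28"], exclude=["192.0.2.17"])


def demo():
    """Answer a request for an interior host; ignore one for an address outside the protected range."""
    answered = PROXY.handle(build_request(ROUTER_MAC, "192.0.2.1", "192.0.2.20"))
    ignored = PROXY.handle(build_request(ROUTER_MAC, "192.0.2.1", "192.0.2.99"))
    return answered, ignored


if __name__ == "__main__":
    reply, ignored = demo()
    print("reply:", parse_arp(reply))
    print("ignored:", ignored)
```

The daemon would wrap `PROXY.handle()` around a BPF read loop on the exterior interface only, which is exactly the promiscuous-mode exposure the poster notes; the kernel `arp -s ... pub` route avoids that at the cost of having to publish one static entry per interior address.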